Ok, before you put any more words into my mouth, let's go over the basics:

(in very simplistic terms for better understanding of the core concepts)

What happens when a file is deleted depends on the filesystem upon which
it resides. Windows/DOS simply marks the file for deletion by
'hiding' the file from view. On filesystems such as EXT2, for example, the
directory entry is marked as unused, the inode block is marked as
unused as well as the file data block in its block allocation map.
However, some information is still intact, such as the relation between
the file inode and first 12 file data blocks, which allows for easy
recovery of smaller files that fit within 12 blocks. For other files
however, recovery is still possible! Just because there is no relationship
between the inode and file data block, doesn't mean that the content
within the file data block is erased. In fact, it can still be intact
long after deletion of the file. As well, shreds of data may still exist
within the unused spaces within the last data blocks of a file for
potential reassembly (file slack).

Now, what wiping utilities try to do is OVERWRITE those portions of the
disk such as all unused data blocks and file slack space where potential
data can be recovered. Once overwritten, it is UNRECOVERABLE using
forensic analysis tools such as EnCase, Byte-Back, Ontrack Recovery, etc.
etc. However, this does not necessarily mean that it cannot be recovered
using other PHYSICAL means by closely examining information within
the magnetic domains using specialized equipment, i.e. the physical
components of the drive; disk platters, cache chips, etc.

I was trying to get two points across; number 1: data CAN still be
recovered after a 35 pass Gutmann or 7 pass DoD standard blah blah blah
using physical methods such as the use of scanning tunnelling microscopy.
Also, simply denting a drive platter or otherwise attempting to damage the
drive may not in all cases equal unrecoverability! The drive platters can
be removed, remodelled and read using PHYSICAL methods.

But also that a company should be realistic as to who their potential
adversaries are, and architect a solution that fits their needs. Not
everyone needs to spend billions building their secure datacenter deep
underground within a vault with two interlocking vaulting doors protecting
a pressure floor to determine the weight of only one person before
allowing access to authenticate against a vein and retina biometric
device. Properly assess your threats, otherwise you will lose the war.

ttyl,

_________________________________________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice:  (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web:    http://www.tsintel.com

On Wed, 6 Mar 2002, Mike Donovan wrote:

> >===== Original Message From John Daniele <[EMAIL PROTECTED]> =====
> >Could you point me towards SOFTWARE (not STM equipment) that would be able
> >to recover data that had been OVERWRITTEN from a sector of a drive?
> >i.e. dd if=/dev/zero of=/dev/dsk/c0t0*
> >Read each physical sector of the drive and explain to me how meaningful
> >data is recovered from 00's using software recovery tools?
> >John Daniele
>
>
> I think all-inclusive statements, such as that by John in an earlier post,
> that a one-time pass will make data "unrecoverable" with standard forensic
> recovery methods is simply wrong. It's not a matter of which software could -
> or couldn't. It's a matter of what you mean by "standard" forensic recovery
> methods. You did not make clear what you meant by "standard" methods. If you
> mean Norton or McAfee Undelete when you speak of "forensic" methods - well
> then, we're talking different ball parks. Standard "forensic recovery methods"
> by big city US Police Departments and the FBI include more in their arsenal
> than simple data recovery programs. I am sure (or assume) the same is true in
> Canada as well. The USA Dept. Of Defense (as you know) has protocols that are
> acceptable --- a three-pass method, a seven-pass method, and then there's the
> Gutmann method, which is acceptable to anybody, except maybe the Marines - who
> must blow their old drives to bits! (Pardon the pun).....But a one-time pass?
> Not acceptable for true security. And what good does it do to call something
> "unrecoverable" and NOT take into account slack space? Again, it comes back to
> the term "standard" -- I think the definition may be different in Canada than
> the United States.
> - Mike Donovan
>
>
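
As an added example (not part of this thread, and not code from either poster), a small Python model of the deletion and wiping behaviour John describes: deletion clears the directory entry and the allocation bitmaps but leaves the data blocks and the inode's 12 direct pointers untouched, so a file of up to 12 blocks can be undeleted via its inode, a larger file can still be found by scanning raw blocks, a shred of the old file survives in the slack tail of a block reused by a new file, and only a wipe of both free blocks and slack removes all of it. The block size, pointer counts, inode count and sample file contents are constructed assumptions for illustration, not the real ext2 on-disk layout.

```python
"""Toy EXT2-style filesystem: what deletion leaves behind and what a
free-space/slack wipe removes.  Added example, not from the original thread;
layout constants and sample data are simplified assumptions, not real ext2."""

BLOCK_SIZE = 16     # tiny blocks so short strings span several of them (assumption)
NUM_BLOCKS = 64     # assumption
NUM_DIRECT = 12     # ext2 inodes carry 12 direct block pointers


class Inode:
    def __init__(self):
        self.size = 0
        self.direct = []     # up to NUM_DIRECT block numbers; kept after deletion
        self.indirect = []   # blocks beyond the 12th; this link is lost on deletion
        self.in_use = False


class ToyFS:
    def __init__(self):
        self.disk = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]  # fresh disk, all zeros
        self.block_bitmap = [False] * NUM_BLOCKS
        self.inodes = [Inode() for _ in range(16)]
        self.directory = {}  # name -> inode number; entry removed on delete

    def _alloc_block(self):
        n = self.block_bitmap.index(False)
        self.block_bitmap[n] = True
        return n

    def _alloc_inode(self):
        for i, ino in enumerate(self.inodes):
            if not ino.in_use:
                ino.in_use = True
                return i
        raise RuntimeError("out of inodes")

    def create(self, name, data):
        ino_no = self._alloc_inode()
        ino = self.inodes[ino_no]
        ino.size = len(data)
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            b = self._alloc_block()
            # Only the bytes actually written are replaced; the tail of the last
            # block keeps whatever was there before (file slack).
            self.disk[b][:len(chunk)] = chunk
            blocks.append(b)
        ino.direct, ino.indirect = blocks[:NUM_DIRECT], blocks[NUM_DIRECT:]
        self.directory[name] = ino_no
        return ino_no

    def delete(self, name):
        ino = self.inodes[self.directory.pop(name)]   # directory entry marked unused
        for b in ino.direct + ino.indirect:
            self.block_bitmap[b] = False             # data blocks freed in the bitmap
        ino.in_use = False                           # inode freed in the inode bitmap
        ino.indirect = []                            # link to blocks past the 12th is gone
        # ino.direct, ino.size and every data block are left exactly as they were.

    def _read_inode(self, ino):
        raw = b"".join(bytes(self.disk[b]) for b in ino.direct + ino.indirect)
        return raw[:ino.size]

    def read(self, name):
        return self._read_inode(self.inodes[self.directory[name]])

    def recover_by_inode(self, ino_no):
        """Undelete via surviving direct pointers; only works for files that fit in 12 blocks."""
        ino = self.inodes[ino_no]
        if ino.in_use:
            raise ValueError("inode is live, nothing to undelete")
        if ino.size > NUM_DIRECT * BLOCK_SIZE:
            return None      # indirect blocks unknown: pointer relation is gone
        return self._read_inode(ino)

    def carve(self, needle):
        """Scan every block, allocated or not: deleted content persists until overwritten."""
        return b"".join(bytes(blk) for blk in self.disk).find(needle) != -1

    def wipe_free_space(self, include_slack=True):
        """What a wiping utility does: overwrite unallocated blocks and, optionally,
        the slack tail of each live file's last block (single zero pass here)."""
        for n, used in enumerate(self.block_bitmap):
            if not used:
                self.disk[n][:] = bytes(BLOCK_SIZE)
        if not include_slack:
            return
        for ino in self.inodes:
            blocks = ino.direct + ino.indirect
            if ino.in_use and blocks:
                used_in_last = ino.size - (len(blocks) - 1) * BLOCK_SIZE
                self.disk[blocks[-1]][used_in_last:] = bytes(BLOCK_SIZE - used_in_last)


def demo():
    fs = ToyFS()
    secret = b"SECRET-MEMO: merger closes Friday, do not forward."  # constructed, 50 bytes = 4 blocks
    big = b"BIGFILE-" * 40                                             # constructed, 320 bytes = 20 blocks
    fs.create("memo.txt", secret)   # inode 0
    fs.create("dump.bin", big)      # inode 1
    fs.delete("memo.txt")
    fs.delete("dump.bin")
    r = {}
    r["small_undelete"] = fs.recover_by_inode(0) == secret       # 12 direct pointers suffice
    r["big_undelete"] = fs.recover_by_inode(1) is None           # indirect link lost
    r["big_carved"] = fs.carve(b"BIGFILE-BIGFILE-")              # but the blocks are intact
    fs.create("note.txt", b"hi")    # reuses the memo's first block; 14 bytes of slack remain
    r["slack_shred"] = fs.carve(b"CRET-MEMO")
    fs.wipe_free_space(include_slack=False)
    r["shred_survives_block_wipe"] = fs.carve(b"CRET-MEMO")
    r["big_after_block_wipe"] = fs.carve(b"BIGFILE")
    fs.wipe_free_space(include_slack=True)
    r["after_full_wipe"] = fs.carve(b"SECRET") or fs.carve(b"merger") or fs.carve(b"CRET-MEMO")
    r["live_intact"] = fs.read("note.txt") == b"hi"
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two-stage wipe in `demo` is the point of the model: zeroing only unallocated blocks removes the large file but leaves "CRET-MEMO" in the slack of the live `note.txt` block, and only the pass that also overwrites slack leaves nothing for a block scan to find.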
